Solved: Why do these seemingly identical searches return d...

CarbonCriterium · ‎08-18-2020

I have four versions of a nearly identical search. The last one returns a completely different result. What is it about the interaction of the "sort" and "head" commands that changes the outcome?

...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -sc_bytes
...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -Gigabytes
...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -Gigabytes | head 100
...| stats sum(eval(sc_bytes/1073741824)) as Gigabytes by cs_uri_stem | sort -sc_bytes | head 100

Nisha18789 · ‎08-19-2020

hi @CarbonCriterium , can you try this once and see it that helps

..| stats sum(sc_bytes) as bytes by cs_uri_stem | eval Gigabytes=bytes/1073741824|sort - Gigabytes | head 100

View solution in original post

Nisha18789 · ‎08-19-2020

Hi @CarbonCriterium , in the last query

..| stats sum(eval(sc_bytes/1073741824)) as Gigabytes by cs_uri_stem | sort -sc_bytes | head 100

below sort will do nothing as the field used for sorting does not exist in the result

...| sort -sc_bytes

and below is taking 100 results (after the stats command) from the top

....| head 100

Are you seeing any different behavior?

CarbonCriterium · ‎08-19-2020

The head command appears to work correctly, but the results do not match up. In the attached screenshot the values that have the greatest value in GB do not have the greatest value in Bytes.

Nisha18789 · ‎08-19-2020

hi @CarbonCriterium , can you try this once and see it that helps

..| stats sum(sc_bytes) as bytes by cs_uri_stem | eval Gigabytes=bytes/1073741824|sort - Gigabytes | head 100

Why do these seemingly identical searches return different results when sorted?

eval

Other

stats

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout